the five essential elements of corporate compliance...(npa later calls that person an employee of...
Post on 15-Mar-2020
The Five Essential Elements of Effective Corporate Compliance: A Practical Guide to an Effective Compliance Program as Seen Through the Eyes of a Compliance Officer, the DoJ and the SEC
Stephen Martin, Baker & McKenzie (Washington DC)
Marc Litt, Baker & McKenzie (New York)
Laurel Burke, Associate General Counsel - Compliance, Regal-Beloit Corporation
SCCE’s Annual Compliance & Ethics Institute
Chicago, Illinois
September 16, 2014
Agenda
– Introductions
– The Five Essential Elements of Effective Corporate Compliance
– What is the Government Looking for in a Compliance Program?
– The Five Elements in Practice: A Practical Guide to Meeting Governmental Expectations and Best Practices
– Questions
© 2014 Baker & McKenzie LLP
The Five Essential Elements of Corporate Compliance
Five Essential Elements of Corporate Compliance
Baker & McKenzie has distilled the key themes from the compliance program expectations of government regulators around the world and best practices into five essential elements of corporate compliance that should be present in every company’s compliance program.
Leadership
Risk Assessment
Standards and Controls
Training and Communication
Monitoring, Auditing and Response
Sources of Corporate Compliance Guidance
USSG’s 7 Elements of an Effective Compliance Program
1. Standards and procedures to prevent and detect criminal conduct
2. Leaders understand / oversee the compliance program to verify effectiveness and adequacy of support; specific individuals vested with implementation authority / responsibility
3. Deny leadership positions to people who have engaged in misconduct
4. Communicate standards and procedures of compliance program, and conduct effective training
5. Monitor and audit; maintain reporting mechanism
6. Provide incentives; discipline misconduct
7. Respond quickly to allegations and modify program
NOTE: A general provision requires periodic assessment of risk of criminal conduct and appropriate steps to design, implement, or modify each element to reduce risk
13 Good Practices by the OECD on Internal Controls, Ethics, and Compliance
1. Risk assessment as basis for effective internal controls and compliance program
2. Policy that clearly and visibly states bribery is prohibited
3. Training – periodic, documented
4. Responsibility – individuals at all levels should be responsible for monitoring
5. Support from senior management – strong, explicit and visible
6. Oversight by senior corporate officers with sufficient resources, authority, and access to Board
7. Specific risk areas – promulgation and implementation programs to address key issues
8. Business partners due diligence
9. Accounting – effective internal controls for accurate books and records
10. Guidance – provision of advice to ensure compliance
11. Reporting violations confidentially with no retaliation
12. Discipline for violations of policy
13. Re-assessment – regular review and necessary revisions
UK’s 6 Principles for “Adequate Procedures”
1. Proportionate procedures
2. Top level commitment
3. Risk assessment
4. Due diligence
5. Communication
6. Monitoring and review
KEY
• USSG – US Sentencing Guidelines
• OECD – Organisation for Economic Co-operation and Development
“Hallmarks of Effective Compliance Programs” from the joint DOJ/SEC 2012 FCPA Guidance
1. Commitment from Senior Management and Clearly Articulated Policy
2. Code of Conduct and Compliance Policies and Procedures
3. Oversight, Autonomy and Resources
4. Risk Assessment
5. Training and Continuing Advice
6. Incentives and Disciplinary Measures
7. Third Party Due Diligence and Payments
8. Continuous Improvement: Periodic Testing and Review
9. Mergers and Acquisitions: Pre-Acquisition Due Diligence and Post-Acquisition Integration
Five Essential Elements of Corporate Compliance: Leadership; Risk Assessment; Standards and Controls; Training and Communication; Monitoring, Auditing and Response
Current Enforcement Environment
Global Enforcement Trends
– Increased international cooperation in the prosecution of corruption
  Complex multi-jurisdictional investigations
  U.K. Bribery law (limited enforcement to date)
  Emerging market laws and prosecutions
  Enforcement efforts in other countries: Brazil, Canada, and Australia
– Increased emphasis on individual prosecutions
– Strong interest in willful blindness and third parties
– Sector-wide targeting: financial services; pharmaceuticals and medical devices; freight forwarding; oil & gas services; and retail
– Dramatically increased penalties, including criminal fines and disgorgement of illicit profits measured in hundreds of millions of dollars
– Greater pressures and incentives to voluntarily disclose misconduct to regulators
U.S. Enforcement Risks Increasing in Certain Legal Areas
– Areas with significant enforcement risk include an ever-increasing number of issues:
  Data Protection/Privacy/Information Governance
  Antitrust
  Trade Compliance (Import/Export Controls, Sanctions, Customs)
  Corruption/Bribery/Fraud (including FCPA)
  Immigration/Global Mobility
  Intellectual Property
  Environmental
  Labor & Employment (including Compensation and Incentives)
  Sales/Marketing/Advertising
  Supply Chain/3rd Party Relationships
  Health & Safety
  Governmental Contracting
Top 20 FCPA Settlements (2005 – present)
Siemens $800
KBR/Halliburton $579
BAE $400
Total S.A. $398
Alcoa $384
ENI S.p.A. $365
Technip $338
JGC Corporation $219
Daimler $185
Weatherford $152
Alcatel-Lucent $137
Hewlett-Packard $108
Deutsch / Magyar Telekom $95
Marubeni Corporation $88
Panalpina $82
Johnson & Johnson $70
Pfizer / Wyeth $60
ABB $58
Pride International $56
Marubeni Corporation $54
Chart legend (years): 2008, 2009, 2010, 2011, 2012, 2013, 2014
Top 20 Non-US Cases (millions)
Thales SA, France, $913
Siemens, Germany, $569
Siemens, Greece, $366.1
Ferrostaal, Germany, $193
Man Group, Germany, $102.2
BAE, UK, $47.9
Siemens, Nigeria, $46.5
Alstom, Switzerland, £42.6
Fair Trade Commission 7 Pharma cases, South Korea, $19
Macmillan, UK, $18.1
Innospec Ltd, UK, $12.7
MW Kellogg, UK, $11.1
Willis, UK, $11
Mabey & Johnson, UK, $10.5
Griffiths Energy International, Canada, $10.35
Niko Resources Ltd., Canada, $9.5
Fair Trade Commission 6 Pharma cases, South Korea, $9.3
Abbot Group Limited, UK, $8.9
AON Ltd, UK, $8.8
Danish Oil-For-Food Actions (7 cases), Denmark, $8.1
Chart legend (years): 2008, 2009, 2010, 2011, 2012, 2013
Recent Fines in US Sanctions/Export Controls
Company Industry Fine Year
1 BNP Paribas Financial Services $8.9 Billion 2014
2 HSBC Bank Financial Services $1.256 Billion 2012
3 Standard Chartered Bank Financial Services $667 Million 2012
4 ING Bank N.V. Financial Services $619 Million 2012
5 Credit Suisse AG Financial Services $536 Million 2009
6 Royal Bank of Scotland (formerly ABN Amro Bank, N.V.) Financial Services $500 Million 2014
7 BAE Systems PLC Defense Services $400 Million 2010
8 Barclays Bank PLC Financial Services $298 Million 2010
9 Mitsubishi UFJ Financial Services $259 Million 2013
10 Lloyds TSB Bank, plc Financial Services $217 Million 2010
11 Weatherford International Oil Services $252 Million 2013
12 Fokker Services BV Aircraft Services $50.9 Million 2014
Transparency International’s 2013 Corruption Perception Index
FCPA Enforcement Actions by Country (2010-2013)
The Case for Compliance
What is the Government Looking For – The “Three Basic Questions” About a Company’s Compliance Program
1. Is the program well-designed?
2. Is it being applied in good faith?
3. Does it work?
Case Study: Morgan Stanley
– Provides powerful evidence of the benefits of investing in an effective compliance program.
– A former Morgan Stanley Managing Director pled guilty to one count of conspiring to circumvent the system of internal controls that the bank maintained to prevent violations of the FCPA.
– Morgan Stanley’s pre-existing compliance program was specifically highlighted in press releases and public comments as the biggest reason for the Government’s decision not to prosecute the bank, enter into a deferred prosecution agreement or pursue a substantial fine. This marked the first public FCPA declination based upon the sufficiency of a company’s compliance program.
– April 25, 2012, U.S. Department of Justice Press Release:
"[C]onsidering... Morgan Stanley constructed and maintained a system of internal controls, which provided reasonable assurances that its employees were not bribing government officials, the [DOJ] declined to bring any enforcement action against Morgan Stanley related to Peterson's conduct."
Case Study: Morgan Stanley (cont’d)
– The decision not to prosecute was based on clear evidence of Morgan Stanley’s compliance program containing:
The existence of an effective compliance program;
Rigorous internal controls;
Regular compliance training and communications;
Internal policies addressing the corruption risks associated with the giving of gifts, business entertainment, travel, lodging, meals, charitable contributions and employment, that were updated regularly to reflect regulatory developments and specific risks;
Compliance program monitoring and auditing; and
Extensive pre-retention due diligence on business partners and stringent controls on payments to business partners.
Case Study: Ralph Lauren Corporation
– Involved Ralph Lauren’s subsidiary in Argentina which bribed customs officials to assist in the passage of goods through customs. The General Manager for the Argentina subsidiary also provided gifts to three different government officials valued at between $400 and $14,000 to improperly secure the importation of products into Argentina.
– DOJ jurisdiction cited in Non-Prosecution Agreement (NPA) as based on Ralph Lauren (“RLC”) hiring the employee as General Manager of Argentinian subsidiary (NPA later calls that person an employee of the subsidiary itself)
General Manager was an “employee and agent of the issuer,” per NPA
– RLC discovered the problem “after it put in place an enhanced compliance program and began training its employees.”
– Company entered into an NPA and agreed to pay $1.5 million, including disgorgement of $734,000 in illicit profits and interest
RLC also undertook extensive FCPA training for employees worldwide, enhanced the company’s existing FCPA policy, implemented an improved gift policy, and other compliance, control, and anti-corruption policies and procedures, strengthened its due diligence protocol for third-party agents, terminated culpable employees and a third-party agent, instituted a whistleblower hotline, and hired a designated corporate compliance attorney.
Case Study: Ralph Lauren Corporation (cont’d)
– SEC’s decision to resolve the case with the NPA was supported by the following factors:
1. RLC discovered the misconduct during the rollout of its new enhanced FCPA policy in 2010 (misconduct reported to management by an employee upon review of the new compliance policy.)
2. RLC, upon being notified of the concerns by employees, responded immediately to end the misconduct by terminating the customs broker and ceasing retail operations in Argentina.
3. RLC promptly reported preliminary findings of the internal investigation to the SEC.
4. The SEC credited RLC for its compliance program, which included (i) enhanced third-party due diligence procedures, (ii) a global risk assessment process, and (iii) significant improvement to its internal controls.
5. RLC’s comprehensive compliance program was developed and implemented before the problem was discovered.
6. The SEC also acknowledged extensive cooperation of the company during the investigation.
The Five Elements in Practice: A Practical Guide to Meeting Governmental Expectations and Best Practices
Leadership Discussion
Risk Assessment Discussion
Risk Assessment Report Deliverables
Sample Slides - Opportunities for Enhancement of Compliance Program
Program Element Opportunities for Enhancement of the Compliance Program
Leadership
Interviews indicate there is room for increased focus on “tone at the middle” (i.e., compliance and ethical leadership at the middle management levels).
There is a need for more proactive, formal and/or planned compliance activities, particularly targeted to the sales function and/or Unit B.
Continue to enhance the coordination, integration and working relationship between Risk, Internal Audit and Compliance functions to ensure a strategic and comprehensive approach to risk management.
Risk Assessment
There is concern about the consistency of the compliance risk assessment process and approach across global business units.
Senior management needs appropriate tools and communication to dynamically anticipate, monitor and track risk across the organization.
Standards and Controls
Company is developing its third party vendor management capabilities; third party due diligence should be based on risk and regularly updated.
Company has many compliance-related policies which undergo periodic review but there is not a formal, centralized system to ensure policies are updated on a regular basis.
Training and Communication
Employees receive limited live training after the onboarding period. It is a compliance program best practice to provide live training at periodic intervals based on risk.
Monitoring, Auditing and Response
Interviews suggest that there should be increased oversight and compliance auditing of high-risk functions such as benefit claims and sales.
Recommendations for Key Program Opportunities
Key Program Opportunities | Recommendations
1. Strategic acquisition plans: Company A is pursuing a strategy of growth through acquisition of family owned businesses which are unlikely to have sufficient compliance programs and/or implemented anti-corruption practices. | Strengthen acquisition risk assessment. Develop protocols for compliance program integration.
2. Third-party management: Company A does not have sufficient awareness of the risk profile of its active third parties, hampering the ability to conduct effective monitoring from a risk management perspective. | Conduct an inventory of Company A third parties.
3. Trade-related risk: Several risk factors were identified, including insufficient due diligence around the engagement of a third party with customs broker capabilities and new personnel on the customs management team. | Conduct a targeted review of third parties in higher risk trade functions.
4. Anti-corruption controls: There is limited clarity in Company A regarding who performs FCPA-related auditing and monitoring of country operations. | Document an 18-month compliance audit plan.
Related findings and recommendation details for each Key Program Opportunity are outlined in the full report.
Recommendations: Risk Assessment
Risk assessment - Compliance program best practices for this element are:
Conduct periodic, formal risk assessments
Risk assessment as basis for instituting effective internal controls and compliance program elements
Recommendations | Details
Conduct comprehensive risk assessments
  Conduct risk assessments in the following areas:
  Regional/country risks, particularly in China and other emerging markets, to provide greater corporate line of sight into local management/operations and associated risks.
  Trade compliance and export controls compliance risks (note: implementation of single SDN capability is in progress)
  Antitrust/Competition risks
Establish a protocol for the periodic refresh of risk assessments
  Develop a program for annual and/or on-going risk assessments in key areas, including:
  Compliance (e.g., FCPA, Antitrust/Competition, Trade, Data Protection, Third Parties)
  Region/Country
  Transactional
  Strategic Business Initiatives
  Assessments should enable ABC Company to understand and regularly evaluate its risk profile
Strengthen the ERM process
  Ensure that the risk management process and Risk Committee are being effectively utilized. Broaden ownership of the process beyond the Risk Committee
  Encourage the Risk Committee to consider a broad range of issues, including future business risks and/or internal issues that may not require public disclosure. Continue to use the ERM process to review and explore financial, operational, regulatory/compliance, and enterprise risk
Develop protocols for monitoring and assessing implementation of mitigation plans
ATTORNEY CLIENT PRIVILEGED - CONFIDENTIAL
Sample Compliance Assessment – Heat Map
Axis labels: Difficult to implement / Easy to implement; High Priority / Medium / Low priority
9b. Evaluate Resource Levels for Government Contracts
10b. Establish Safeguards for New Client Database
10c. Evaluate IT/Security Resource Levels
4c. Confidentiality & Trade Secrets Program Review
6. Conduct Global Privacy Review and Assessment (in Progress)
2. Audit Peer-Review Research Process
7. Create Crisis Management Response Program
9a. Review Government Contracts Controls
10d. Coordinate on IT Audits
13c. Audit/Monitor High Risk Contractors
1a. Expand Coordination Between Legal & Internal Audit
1b. Augment Legal Resources
3a. Implement Revised Code of Conduct
8a. Survey and Document Government Interactions
4a. Implement Data Classification Policy (as Planned)
11. Conduct Annual Compliance & Ethics Risk Assessment
12a. Sales Agent Diligence
13a. Conduct Third-Party Diligence
5c. Develop Compliance Audit Plan
13b. Ensure Appropriate Third-Party Controls
4b. Publicize & Train on Confidentiality Policies
5a. Review & Update Compliance Policies
5b. Enhance Compliance Communications Plan
8c. Annual FCPA Training Affirmation Process
3b. Code of Conduct Training
3c. Develop Training Program & Log
8b. Develop Live FCPA Training Process
10a. Update Board on IT/Network Security
5d. Develop Investigation Protocol
12b. Document Sales Agent Training Program
Recommendations by Implementation Effort Required and Suggested Timing
Recommendations | Implementation Effort Required | Suggested Timing
Key Program Opportunities
1. Strengthen acquisition risk assessment and compliance program integration | Medium | Year One
2. Clarify third-party risk by conducting an inventory of third parties | Difficult | Year One
3. Review the trade-related risks | Medium | Year One
4. Document an 18-month compliance audit plan | Medium | Year One
Best Practices Priority One: Core Practice
1. Increase compliance messaging by senior leaders | Easy | Year One
2. Provide consistent anti-corruption compliance resources to employees at all levels | Easy | Year One
3. Ensure government interactions are properly handled and systematically tracked | Easy / Medium | Year One
4. Ensure local compliance incidents or allegations are appropriately tracked and escalated | Easy | Year One
5. Provide anti-corruption compliance training at onboarding | Easy | Year One
6. Enhance compliance training and expand live training | Medium | Three Year Plan
7. Monitor labor union interactions and payments | Easy / Medium | Three Year Plan
8. Strengthen anti-corruption controls for Company Unit A | Medium | Three Year Plan
9. Increase oversight of trade associations | Easy | Three Year Plan
10. Regularly update internal policies to reflect issues, risks, and regulatory developments | Medium | Three Year Plan
Best Practices Priority Two: Strategic Options
11. Update the local risk assessment process to address anti-corruption or FCPA risk | Easy | Year One
12. Provide anti-corruption compliance materials to third parties | Medium | Three Year Plan
13. Review supply chain and logistics to streamline processes and identify risks | Medium | Three Year Plan
14. Review and refresh the compliance protocols around the key partnership | Medium/Difficult | Three Year Plan
15. Assess impact of IT system and infrastructure on anti-corruption risk management | Difficult | Three Year Plan
16. Address corruption risks faced by certain front-line employees | Medium | Three Year Plan
Roadmap: Year One (by priority and element)
Priority Rank | Recommendation | Suggested Timing | Implementation Effort Required | Related Element
Higher priority
Tier 1
(KPO) Expand compliance resources to assist in implementing and enhancing compliance program | Three Months | Medium | Leadership
(KPO) Establish strategic food production management framework | Six Months | Medium | Standards & Controls
(KPO) Enhance compliance training planning, structure and delivery | Six Months | Easy / Medium | Training & Comm’n
Tier 2
(KPO) Ensure data security recommendations are implemented and establish appropriate protocols | Six Months | Easy / Medium | Standards & Controls
Develop leadership capabilities in order to meet key compliance risks in functional areas | Six Months | Medium | Leadership
Review overall sales and marketing strategy | Six Months | Easy | Risk Assessment
(KPO) Strengthen the ERM process | One Year | Medium/Difficult | Risk Assessment
(KPO) Coordinate on implementing and documenting the internal audit plan | Ongoing | Easy / Medium | Monitor, Audit, Respond
Conduct comprehensive risk assessments of key activities | Ongoing | Medium | Risk Assessment
Tier 3
Enhance the crisis response plan and integrate recall protocols | One Year | Easy / Medium | Standards & Controls
Develop new policies and refresh existing policies and controls as needed | Ongoing | Medium | Standards & Controls
Implement previously identified compliance / risk mitigation plans | One Year | Easy / Medium | Standards & Controls
Create Human Resources policies for international expansion / global mobility | One Year | Medium | Standards & Controls
Establish a policy management process | One Year | Easy | Standards & Controls
Enhance training curriculum | One Year | Easy / Medium | Training & Comm’n
Ensure sales training provided annually | Ongoing | Easy | Training & Comm’n
Continually communicate compliance expectations | Ongoing | Easy | Leadership
Lower priority
Standards & Controls Discussion
Training & Communications Discussion
Auditing, Monitoring and Response Discussion
Managing 3rd Party Risk
Ubiquitous Cross-Border Flows
Information Technology Raw Materials
Components Products Services
People Money Personal Data
Key Legal Areas
Anti-Bribery Employment Customs / Trade
Environment Privacy / Security
Competition / Antitrust
5 Essential Steps to Help Assess and Address 3rd Party Risk
Education & Training
Structuring & Documenting
Vetting & Selecting
Monitoring & Evaluating
Reacting & Remedying
Third-Party Due Diligence Program Overview
About Third-Party Due Diligence Programs
– Enforcement authorities across the globe expect companies to carefully review the corruption risk posed by third parties that sell products for, or act on behalf of, the company
– Implementing a third-party due diligence program, along with other measures, will help protect the organization from responsibility for any corrupt actions by its vendors, suppliers, and other third parties
– A third-party due diligence process should include the following:
Policies and materials necessary for onboarding new third-parties (and potentially alerting existing third-parties to the organization’s compliance expectations)
An active management program that enables the organization to maintain oversight of third-parties as appropriate
– The scope and threshold levels for the Due Diligence program should be determined by the organization’s Legal or Compliance team in accordance with the company’s assessment of risk and desired level of risk mitigation
Third-Party Due Diligence Program - Sample Materials
– Sample materials for a third-party due diligence program include:
Pre-Assessment form: internal checklist indicating which third parties are eligible for due diligence
Third Party Engagement / Due Diligence policy: informs target audience of company policy and the process
Due Diligence Questionnaire: provided to third party; used to gather relevant business information
Review Procedures: provides step-by-step instructions for identifying the level of diligence required for third party
Reporting Form: used to compile and assess results of the due diligence
Approval Form: documents internal decisions and sign-offs
– The due diligence process can be conducted using internal resources or the process can be outsourced to an external vendor.
Third-party Due Diligence Program - Process Map
1. Use Internal Pre-Assessment to determine if third party eligible for enhanced due diligence. Eligible Third Party provided with Due Diligence Questionnaire and Certification form.
2. Third Party submits Due Diligence Questionnaire to business team’s [Engagement Lead].
3. [Engagement Lead] completes Internal Reporting Form then submits materials to appropriate resource for due diligence and internal processing.
4. Designated resource reviews information to identify risk factors and/or red flags and ensures the appropriate level of diligence is conducted.
5. After diligence is completed, results are documented on internal forms and if necessary, approvals obtained. The final decision and other relevant documentation is sent to the [Engagement Lead].
For illustration purposes only
Risk level | Process | Approvals required
Low Risk | Sales VP review | None (but inform Country President)
Medium Risk | Sales VP Review with Legal input | Finance, and Country President
High Risk | Additional Diligence, Sales VP, Legal Input | Finance, Country President and Regional President
Example of Due Diligence Review Process
Risk level | Sample Factors | Required Approvals
Low | Third party operates in low risk country (e.g. Denmark) | None (but inform Regional President)
Medium | Third party operates in a higher risk country (e.g. Brazil) | BEC, Finance, and Regional President
High | Third party operates in a high risk country (e.g. Russia); Third party CEO is politically exposed (e.g., former Minister of Commerce); Third party is domiciled in one country (e.g., Greece) but banks in another (e.g. Switzerland); Third party is partly or wholly owned by a government agency | BEC, Finance, Regional President, and CECO
Agent | Third party will act as an agent | BEC, Finance, Regional President, and CECO
Sample Due Diligence Options
– The internal review procedures should be calibrated to ensure third parties are consistently categorized based on the third party’s risk profile and/or red-flag behavior
Typical result is categorization of third party as Low, Medium or High risk
– Based on the risk category, the due diligence review may include:
Internet search and analysis
Review all third party information to identify risk factors and/or red flags and ensure the appropriate level of diligence is conducted
Review of local and international media
Review of public records (Lexis/Nexis or similar database)
Screening against International Watch List and Database
Litigation searches from databases and local searches (where available)
Conversation with provided references
Reputation testing from industry and local sources
Business Intelligence on the Subject Company
Discreet inquiries to acquire information
– Due diligence frequency and scope can be based on third party relationship (new, ongoing, high-risk) and/or the type of contract (one-year, multi-year, evergreen).
Wrap-Up Questions
Final Takeaway: What Is Effective Corporate Compliance?
More than … | It is …
A job title | An active program
A vague set of generally understood moral principles | A tangible set of policies, procedures and practices
A special interest of a few employees | A priority of senior managers/BOD
A burden on business activity | An essential element of the strategic direction of enterprise
A Code of Conduct | A risk-based compliance system
A one-time initiative | A dynamic process periodically reviewed and enhanced
Contact Information:
Stephen Martin
Managing Director
Baker & McKenzie Compliance Consulting
815 Connecticut Avenue, NW
Washington, DC 20006
Tel: +1 303 345 3345 (Primary)
Tel: +1 202 835 6167 (DC Office)
Fax: +1 202 416 7167
stephen.martin@bakermckenzie.com
Marc Litt
Partner
Baker & McKenzie LLP
452 Fifth Avenue
New York, New York 10018
Tel: +1 212 626 4454
Fax: +1 212 310 1802
marc.litt@bakermckenzie.com
Laurel L. Burke
Associate General Counsel - Compliance
Regal-Beloit Corporation
200 State Street
Beloit, Wisconsin 53511
Tel: 608.361.7416
Fax: 608.364.8817
Email: laurel.burke@regalbeloit.com